Securely operating a process using user-specific and device-specific security constraints

ABSTRACT

A method for enforcing secure processes between a user and a device involves determining that the user has initiated installation of a secure application, installing the RA part of the secure application, triggering a trusted UI session upon realization that the TA part of the secure application is not installed, receiving, via the trusted UI session, user credentials for authenticating the user and enforcing user-specific and device-specific security, cryptographically signing combined user credentials with a cryptographic signature to obtain an authentication object, passing the authentication object to a service provider associated with the secure application for extraction of the user credentials, and generating an authorization token permitting the installation of the TA part of the secure application upon verification of the cryptographically signed authentication object.

BACKGROUND

A single mobile device/tablet may have different owners during itslifetime. Conventionally, a user is linked to a service provider by auser account created by the user. The user account is used by serviceproviders to install applications within the device. The user isidentified/authenticated on the device itself, at the rich executionenvironment (REE) level of the operating system (OS) of the device, andcredentials are exchanged with the service provider back-endinfrastructure to facilitate authentication of the user.

SUMMARY

In general, in one aspect, embodiments disclosed herein relate to amethod comprising determining that a user has initiated an installationof a secure application on a device owned by the user, the secureapplication comprising a rich application (RA) part and a trustedapplication (TA) part, wherein the rich application part operates usingresources shared with other applications, and wherein the trustedapplication part operates in an isolated execution environment withfunctionality to provide security services to the rich application part,installing the RA part of the secure application on the device,triggering, by the RA executing on the device, a trusted user interface(UI) session, upon realization that the TA part of the secureapplication is not installed in the isolated execution environment onthe device, wherein the trusted UI session is initiated to enforceuser-specific and device-specific security criteria, receiving, via thetrusted UI session, user credentials for authenticating the user,combining the user credentials with a unique identifier of the isolatedexecution environment in which the TA part of the secure applicationoperates to obtain combined user credentials, cryptographically signingthe combined user credentials with a cryptographic signature to obtainan authentication object, wherein the authentication object facilitatesthe enforcement of the user-specific and the device-specific securitycriteria, passing the authentication object to a service providerassociated with the secure application for extraction of the usercredentials, and generating, by an authorization entity, anauthorization token permitting the installation of the TA part of thesecure application, upon verification of the cryptographically signedauthentication object.

In general, in one aspect, embodiments disclosed herein relate to asystem, comprising a device on which the installation of a secureapplication is initiated by a user, wherein the device is owned by theuser, a service provider configured to provide the secure application tobe installed on the device, the secure application comprising a richapplication (RA) part and a trusted application (TA) part, wherein therich application part operates using resources shared with otherapplications, and wherein the trusted application part operates in anisolated execution environment with functionality to provide securityservices to the rich application part, and a back-end server comprisingan authorization entity configured to generate an authorization tokenpermitting installation of the TA part of the secure application, uponverification of an authentication object, wherein, when installation ofthe secure application is initiated by the user, the RA is configured torequest a user-binding TA in the isolated execution environment toinitiate a trusted user interface (UI) session by which user credentialsare obtained from the user, wherein the authentication object isgenerated by: combining the user credentials obtained via the trusted UIsession with a unique identifier of the isolated execution environmenton the device to obtain combined user credentials, and cryptographicallysigning the combined user credentials using a cryptographic signature toobtain the authentication object, wherein the service provider isfurther configured to receive the authentication object from the RA partof the secure application to check the user credentials, and wherein theback-end server is configured to verify the cryptographically signedauthentication object, and, using the verified authentication object,generate the authorization token authorizing the installation of the TApart of the secure application.

In general, in one aspect, embodiments disclosed herein relate to anon-transitory computer readable medium comprising instructions that,when executed by a computer processor, perform a method comprisingdetermining that a user has initiated an installation of a secureapplication on a device owned by the user, the secure applicationcomprising a rich application (RA) part and a trusted application (TA)part, wherein the rich application part operates using resources sharedwith other applications, and wherein the trusted application partoperates in an isolated execution environment with functionality toprovide security services to the rich application part, installing theRA part of the secure application on the device, triggering, by the RAexecuting on the device, a trusted user interface (UI) session, uponrealization that the TA part of the secure application is not installedin the isolated execution environment on the device, wherein the trustedUI session is initiated to enforce user-specific and device-specificsecurity criteria, receiving, via the trusted UI session, usercredentials for authenticating the user, combining the user credentialswith a unique identifier of the isolated execution environment in whichthe TA part of the secure application operates to obtain combined usercredentials, cryptographically signing the combined user credentialswith a cryptographic signature to obtain an authentication object,wherein the authentication object facilitates the enforcement of theuser-specific and the device-specific security criteria, passing theauthentication object to a service provider associated with the secureapplication for extraction of the user credentials, and generating, byan authorization entity, an authorization token permitting theinstallation of the TA part of the secure application, upon verificationof the cryptographically signed authentication object.

Other aspects will be apparent from the following description and theappended claims.

BRIEF DESCRIPTION OF DRAWINGS

FIGS. 1-2 show schematic diagrams in accordance with one or moreembodiments disclosed herein.

FIG. 3 shows an example implementation of binding a device to a user inaccordance with one or more embodiments disclosed herein.

FIG. 4 shows a flowchart in accordance with one or more embodimentsdisclosed herein.

FIG. 5 shows a computer system in accordance with one or moreembodiments disclosed herein.

DETAILED DESCRIPTION

Specific embodiments will now be described in detail with reference tothe accompanying figures. Like elements in the various figures aredenoted by like reference numerals for consistency.

In the following detailed description of embodiments, numerous specificdetails are set forth in order to provide a more thorough understanding.However, it will be apparent to one of ordinary skill in the art thatembodiments disclosed herein may be practiced without these specificdetails. In other instances, well-known features have not been describedin detail to avoid unnecessarily complicating the description.

In general, one or more embodiments disclosed herein provide a methodand system for binding a user to his/her device. Binding a user to adevice results in the enforceability of user-specific anddevice-specific security criteria. Specifically, one or more embodimentsrelate to associating a user to the trusted execution environment (TEE)of his/her device in order to remotely manage sensitive applicationsrelated to the user within his/her device.

FIG. 1 shows a schematic diagram of a client/server topology inaccordance with one or more embodiments. Specifically, FIG. 1 shows asystem (100) including a back-end server (102) and multiple clientdevices (116, 118, 120) with which the back-end server (102)communicates based on input from an application service provider (104).Each of the aforementioned components of the system (100) are describedbelow.

Each client device (116, 118, 120) may be a portable electronic devicesuch as a smart phone, tablet, gaming device, or any other suitableelectronic device having Internet capability. In one or moreembodiments, each device (116, 118, 120) may include a trusted executionenvironment (TEE). More specifically, TEE software may be installed bythe client device manufacturer such that the TEE software automaticallyexecutes on the client (116, 118, 120) for certain applications whichrequire use of sensitive data. Content providers of secure applications(i.e., applications which require user sensitive data) must comply withthe TEE platform and structural requirements. The TEE environment isdiscussed in detail in FIG. 2 below.

In one or more embodiments, TEE is a secure area in the client device(e.g., a smart phone, tablet, or any other suitable electronic device)and ensures that sensitive data is stored, processed and protected in atrusted environment. More specifically, the client device operatingsystem (OS) may be partitioned into a rich execution environment (REE)and the TEE. The TEE is an isolated execution environment with its ownset of hardware and software components that runs in parallel with butseparate from the REE, providing security services to the Rich OSenvironment. REE is an environment that is provided and governed by theRich OS, which is outside of the TEE. The Rich OS is a more complete OS,developed with functionality and performance as key goals, rather thansecurity, and thus, runs with lower security boundaries. From theperspective of the TEE, the REE and applications running on the REE areconsidered un-trusted. In contrast, the TEE executes a trusted OS, whichis designed to enable the TEE using security based design techniques.

Returning to the description of FIG. 1, each client device (116, 118,120) may be operated by a user (not shown). The user may be any personor entity using the client device. The client device (116, 118, 120) maybe owned by the user, or in one or more embodiments of the user, may beowned by a company, university, government agency or other entity thatpermits the use of the client device by the user, for example. In one ormore embodiments, the mapping between the user and the TEE executing onthe client device (116, 118, 120) depends on the owner of the clientdevice at a given time. Each client device (116, 118, 120) executesapplications known as trusted application (TAs) within the TEE. The TAis configured to manage sensitive information on behalf of the user ofthe client device or the service provider (104). To this end,embodiments disclosed herein ensure that a TA is managed within thecorrect TEE that is bound to the user.

In one or more embodiments, the back-end server (102) is a serverconfigured to manage remote options on the client device by generatingand transmitting authorization tokens. More specifically, the back-endserver (102) is configured to sign and authorize a TA to be installedwithin the TEE of a client device prior to installation of the TA on theclient device (116, 118, 120). In one or more embodiments, the back-endserver (102) includes an authorization entity (106), a trusted servicemanager (110) and a user-to-TEE mapping (112).

The authorization entity (106) is a server side authority configured toauthorize remote operations such as installing/deploying of TAs,upgrading of TA software on the client, de-installing TAs, etc., on theclient device (116, 118, 120). The authorization entity (106) may be theowner of the device hosting the SoC, the original equipment manufacturer(OEM), or a third party. The authorization entity (106) communicateswith each client device (116, 118, 120) via the Internet (122), anyother suitable network, or using any other form of communication amongcomponents on one or more devices. The authorization entity includesfunctionality to generate authorization tokens (108). More specifically,the authorization entity (106) authorizes remote operations of the TEEby signing related authorization tokens (108). The authorization entityhas a counterpart component within the client device TEE. Thiscounterpart component (not shown) resides in the TEE on the clientdevice and hosts the cryptographic key that is used by the authorizationentity to cryptographically sign authorization tokens directed to thatparticular TEE. In one or more embodiments, in order to restrict theauthorization tokens (108) for a TA management operation to a given TEE,the authorization entity (106) binds the authorization of a remoteoperation related to a TA to a given TEE identifier. Details on how sucha binding is performed is discussed in FIGS. 3-4 below.

In one or more embodiments, the back-end server (102) also includes atrusted service manager (TSM) (110). The TSM (110) is a communicationentity that provides secure communication within a given client devicein the field. Specifically, in one or more embodiments, the TSM (110)receives the authorization token (108) generated by the authorizationentity (106), and passes the authorization token and relatedadministrative operations to the counterpart component representing theauthorization entity within the TEE on the client device (116, 118,120).

The user-to-provider mapping (112) on the back-end server (102) is aservice provided by the back-end server (102) and the TEE that isconfigured to store a data structure such as a table, a list, etc.,mapping each client device (116, 118, 120) to the TEE identifier thatuniquely identifies the TEE on the client device, as well as acryptographic key unique to each device, which may be used to verify theauthenticity of user-binding requests. More specifically, theuser-to-provider mapping (112) uses the TEE to map a physical user to anaccount linked to the ASP (104). The user-to-provider mapping (112) mayoptionally store a list of the applications installed on the clientdevice, and/or a number of times a particular type of operation has beenapproved by the user, etc.

In one or more embodiments, the ASP (104) is configured to request toperform an operation on the client device through the back-end server(102). The ASP (104) may be any application content provider that isresponsible for managing the applications on the client device. Morespecifically, the ASP (104) is an entity that is willing to leverage thebenefit of having a TA within TEEs to secure their TEE applications. Inone or more embodiments, an application provided by the ASP (104) may bedivided into two parts: an ASP REE application part and an ASP TEEapplication (or SP TA) part. The ASP (104) may install the ASP REEapplication part within the REE on the client device and delegate allsensitive operations and store all sensitive data within the related ASPTA part within the TEE on the client device. Such a divided two partapplication may be implemented when the ASP (104) is a content providerfor trusted/secure applications executing in the TEE of the client, suchas, for example, a banking service provider, a payment systems serviceprovider, etc. The ASP (104) may also be the company or entity that ownsthe client device, when the client device is not a personal device ofthe user operating the client device. In one or more embodiments, theASP (104) has a trusted relationship with the trusted authority (106) ofthe back-end server (102). That is, the ASP (104) is pre-authenticatedwith the back-end server (102), thereby allowing the back-end server(102) to trust that the content provided by the ASP (104) is securecontent. The ASP (104) may pay the authorization entity (106) to havethe ability to install its TA within the TEE of the client device of auser who paid for the ASP service. The ASP (104) may also optionally paythe TSM to manage its related TA online.

In one or more embodiments, the ASP (104) may request to perform anytype of device management operation on the TEE client (116, 118, 120).For example, the ASP (104) may request to install/deploy an applicationin the TEE environment of the client device. Alternatively, the ASP(104) may request to perform a security patch update to an essentialapplication, uninstall an application from the client device, or anyother suitable management operation associated with applicationsexecuting on the client device.

The invention is not limited to the system shown in FIG. 1.

FIG. 2 shows an example system architecture that may be implemented on aclient device. Specifically, FIG. 2 shows the SoC (202) hosting the REE(216) and the TEE (204) executing on the client device. Both the REE(216) and the TEE (204) interface with the hardware (230) of the clientdevice. Each of the aforementioned components are described in detailbelow.

Initially, it is noted that the TEE architecture enables a level ofsecurity sufficient for a significant number of applications upon whichthe application service provider may wish to perform an operation. Inone or more embodiments, the TEE is configured to perform sensitiveoperations subject to security protection on the client device, such as,for example, banking operations, payment operations, etc. The TEEarchitecture is defined in the document entitled “GlobalPlatform DeviceTechnology TEE System Architecture” version 1.0, dated December 2011.The communication between applications running in a rich operatingenvironment and the applications residing in the TEE is defined in thedocument entitled “GlobalPlatform Device Technology TEE Client APISpecification” version 1.0, dated July 2010. The TEE system architectureand the TEE Client API Specification are incorporated by reference intheir entirety. The invention is not limited to a particular version ofTEE architecture or a particular version of the Client APISpecification.

Turning to FIG. 2, the SoC (202) is an electronic subsystem on thedevice, all of whose components are included in a single integratedcircuit. In one or more embodiments, both the REE (216) and the TEE(204) are part of the SoC in a typical chipset architecture. The TEE(204) may be made up of a separate on-chip security subsystem within theSoC, or may operate as a portion of each of the SoC components (i.e.,the RAM, ROM, Crypto Accelerators, Processing Core(s), peripherals,etc.). As described above, the primary purpose of the TEE is to protectits assets from the REE (216) through hardware mechanisms which arebeyond the REE's control. For example, the TEE provides trusted storageof data and keys, where the storage of data is bound to the device sothat no unauthorized internal or external attacker may access, copy, ormodify the data contained within the TEE.

Each of the REE (216) and the TEE (204) include similar components thatare specific to the environment in which the components execute. Forexample, the REE (216) includes client applications (218) which aretypically not secure applications requiring use of sensitive data, andcorrespondingly, the TEE (204) includes TEE applications also namedtrusted applications (208) which provide security related functionalityto client applications (218) outside of the TEE (i.e., in the REE). Aclient application is any application that runs in the REE, and atrusted application is any application that runs in the TEE. A clientapplication may use one or several trusted applications. For example,PayPal® is a client application, which may use a trusted application tomanage its credentials (the “PayPal credential management” trustedapplication). In one or more embodiments, when secure applications aredownloaded by the user of the device, the secure applications areinstalled in two parts; first, the RA part is installed onto the device,and subsequently, after binding of the user to the device/TEE, the TApart of the application is installed.

Continuing with FIG. 2, the TEE functional API (228) in the REE (216) isan REE software interface dedicated to exposing an inbuilt TEEcapability, such as cryptography, for the client application (218)developer. On the TEE (204) side, the TEE exposes sets of applicationprogramming interfaces (APIs) to enable communication from the REE andothers to use trusted software functionality within the TEE. Morespecifically, the trusted OS is the hosting code that provides aninternal API to trusted applications which run on top of the trusted OS,and a proprietary method to enable the client device API software tointerface with the TEE from other execution environments. The TEEinternal API (214) is one of these APIs exposed by the Trusted OS (206)to trusted applications (208), allowing them to exploit the featuresdefined in the trusted OS (206) and to communicate with the Rich OS(220).

On the REE (216) side, the TEE client API (226) is a communicationinterface designed to enable a client application running in the Rich OS(220) to access and exchange data with a trusted application (208) inthe TEE (204). The Rich OS (220) is an OS providing a wider variety offeatures than that of the Trusted OS (206) in the TEE (204). The Rich OSis built with functionality and performance as key goals, and has anopen ability to accept applications. The Rich OS (220) includes a REEcommunication agent (224) and a public device drivers (222). The REEcommunication agent (224) is a Rich OS (220) driver that enablescommunication between the REE (216) and the TEE (204). Public devicedrivers (222) are drivers which allow communication with publicperipherals (234) in the device hardware (230). Public peripherals (234)may include input/output devices. As the REE cannot directly call to TEEfunctions, the REE software goes through protocols such that the trustedOS or TA performs the verification of the acceptability of any operationthat the REE software requests.

In contrast, the Trusted OS (206) is limited in that it is built toenable the TEE using security based design techniques. The Trusted OS(206) provides the TEE internal API to TAs (208) and a proprietarymethod to enable the TEE client API software interface from otherexecution environments. The Trusted OS (206) includes a TEEcommunication agent (210) and a trusted kernel/trusted functions (212).The TEE communication agent (210) is a Trusted OS (206) driver thatenables communication between the REE (216) and TEE (204). The trustedkernel/trusted functions (212) are Trusted OS (206) components dedicatedto exposing an inbuilt TEE capability, such as cryptography. The trustedkernel/trusted functions (212) also allow for communication with trustedperipherals (232) in the device hardware (230). Trusted peripherals(232) may include input/output devices associated with a trusted UIsession (described in detail below). Further, although not shown in FIG.2, the TEE is configured to provide trusted storage of data and keyssuch that no unauthorized internal or external attacker may access,copy, or modify the data contained in trusted storage.

The invention is not limited to the system architecture shown in FIG. 2.

FIG. 3 shows an example implementation for binding a user to the TEE ofhis/her device. FIG. 3 shows a device (302) having an REE (304), a TEE(306) and hardware (308), which may include peripheral devices, such asinput/output devices. Each of these components are described in detailbelow.

As described above, embodiments of the invention provide a system andmethod to identify/authenticate a user and bind the user to the TEE(306) associated with the device (302), by relying on the robustness ofthe TEE itself. As described generally with respect to FIG. 2 above, theREE (304) runs separate from the TEE (306), and includes its own set ofapplications (320) and a Rich OS (316). Applications executing in theREE (304) are not used for sensitive data, and thus, the REE application(RA) (320) may be any application that does not require user credentialinformation, financial information, or other sensitive information to beinput by the user. The TEE (306) hosts a trusted OS (314) and a TA (322)associated with the RA (320), which may be used by the RA (320) runningin the REE to delegate sensitive security operations, which must beperformed on the TEE. In other words, an RA (320) may have a TA (322)counterpart hosted by the TEE (306), which the RA (320) uses for secureoperations. For example, a banking application may systematicallyleverage the TEE (306), and may have one or more trusted application(TA) parts corresponding to an RA, where the TA part is used to executeoperations with the user's confidential and secure data. The RA portionof the application executes in the REE and does not handle sensitivedata. In contrast, the TA part of the banking application may handle thesensitive data of the user and perform secure operations on behalf ofthe user. It is noted that application developers/service providers mustcode such applications to leverage the security features of the TEE, asuse of the TEE, TAs within the TEE, and other TEE security features donot occur by default.

In one or more embodiments, when a user attempts to load the TA (322)application part of an ASP RA application, the user-binding process isinitiated (described in FIG. 4 below). To this end, in one or moreembodiments, the TEE (306) hosts a user-binding TA (312), which may beused by the RA (320) to establish a binding between the device (302) anda user account from the service provider (e.g., 104 in FIG. 1) whoprovided the RA (320). The user-binding TA (312) is a system TA that isalways present as part of the TEE (306) and provides a user bindingservice to any REE application or any TA. More specifically, in one ormore embodiments, the user-binding TA (312) executing on the TEE (306)is configured to identify and authenticate the user of the device via atrusted UI session (310). In one or more embodiments, the trusted UIsession (310) may be initiated by the REE (304) and is a secure UI thatis used to bind the user to the device, and by extension, the TEE (306)of the device. The user-binding TA (312) may be dedicated to a givenservice provider or to a group of service providers.

Alternatively, in one or more embodiments, the TA (322) part of a secureapplication may not be available when the RA (320) part is installed andfirst runs. In such cases, the user-binding TA (312) executing in theTEE (306) may be used by the RA (320) to perform a binding between theuser and the device on behalf of the RA's (320) service provider (notshown in FIG. 3).

Continuing with the example of FIG. 3, the trusted UI session (310) is agraphical user interface presented to the user on the client device thatis specifically associated with the TEE of the device or even the userof the device. The trusted UI session (310) is part of the global TEEplatform. In one or more embodiments, the trusted UI session is a uniqueuser interface that is noticeably distinct from the normal UT which istypically presented to the user for non-TEE related operations. Saidanother way, the trusted UI session (310) is specific to a device andmay be customized by the user to present a security indicator of sometype when the trusted UI session (310) is operating. The term UI as usedherein may include the keyboard, the touchscreen, the biometric sensor,the screen/frame buffer, and more generally, any sensor or peripheral ofthe client device implying user input and/or output. For example, duringa trusted UI session (310), a dedicated light (LED) on the device may beenabled when such a session is initiated. Alternatively, any othersuitable UI feature may be presented to indicate the execution of atrusted UI session (310) that only the user knows, such as a word orphrase and/or a picture that the user provided may display on a portionof the UI screen. Accordingly, the user of the device recognizes themanner in which a trusted UI is presented and when a trusted UI sessionis running on the device. In one or more embodiments, the trusted UIsession (312) is configured to query the user for user credentials andcan be customized per and by a given ASP. User credentials may be ausername/password, a one-time password (OTP), biometric information suchas a fingerprint scan or retina scan, or any other suitable informationthat may be used to identify and authenticate the user of the device.The trusted UI session is also configured to protect the informationprovided by the user. The user credentials are not disclosed to theoutside REE OS, but rather, stay only within the TEE (306) and are notaccessible from other applications in the REE. In addition, the trustedUI session (310) wraps the user credentials cryptographically to protectthe sensitive data. In one or more embodiments, the original version ofthe user credentials are deleted, and the trusted UI session (310)passes only the cryptographically wrapped version for validation andverification to the service provider via the REE (304).

In one or more embodiments, the TEE (306) is configured to obtain theuser credentials from the user via the trusted UI session (310) andbinds the user credentials to the TEE identifier of the TEE. In one ormore embodiments the TEE identifier is stored in the hardware (308) ofthe device (302). The TEE identifier uniquely identifies the TEEinstalled on the device (302). In one or more embodiments, the TEEidentifier may be the same as the device ID which uniquely identifiesthe device (302). In one or more embodiments, the user credentials maybe hashed or encrypted and concatenated with the device ID/TEEidentifier. The operation used to obtain the derived user credentialsmay be a Message Digest or any other suitable encryption operation usinga cryptographic key. Alternatively, no operation on the user credentialsmay be performed, i.e., the operation is nil and the derived usercredentials are equivalent to the original user credentials. In one ormore embodiments, the derived user credentials are then used to generatewhat is known as an authentication object. In one or more embodiments,the authentication blob may be any authentication object, such as forexample, an authentication binary large object (blob) (318). Morespecifically, the authentication blob (318) may be calculated by thefollowing equation: Authentication Blob=(Derived(user credentials)+TEEIdentifier). The entire authentication blob calculated by the aboveequation is cryptographically signed. Subsequently, the authenticationblob (318) may be passed to the service provider that may verify thecredentials and may pass the authentication blob to another entity (suchas the authorizing entity) that may authenticates the authenticationblob by verification of the cryptographic signature.

A variant is that the Authentication blob includes also the ASPinformation displayed during the Trusted UI session. The ASP informationmay be used to customize the Trusted UI session for a given ASP. Thus,in one or more embodiments, the Authentication Blob=(ASPinformation+Derived(user credentials)+TEE Identifier). Alternatively, inone or more embodiments, the Authentication blob may also include theASP information displayed during the Trusted UI session. The ASPinformation may be used to customize the Trusted UI session for a givenASP. Thus, in one or more embodiments, the AuthenticationBlob=(Derived(ASP information)+Derived(user credentials)+TEEIdentifier). The derived ASP information may be in clear, hashed orencrypted form.

The invention is not limited to the TEE architecture shown in FIG. 3.

FIG. 4 shows a flowchart for binding a user to a device in accordancewith one or more embodiments. More specifically, FIG. 4 describes theprocess that is performed by the systems of FIGS. 1-3 to facilitate userbinding to the TEE of the user's device. While the various steps inthese flowcharts are presented and described sequentially, one ofordinary skill will appreciate that some or all of the steps may beexecuted in different orders, may be combined or omitted, and some orall of the steps may be executed in parallel. Furthermore, the steps maybe performed actively or passively. By way of an example, determinationsteps may be performed by checking stored data to test whether the datais consistent with the tested condition in accordance with one or moreembodiments.

Initially, a determination is made as to whether the installation of anapplication on the client device is initiated (ST 400). The installationof an application on the client device may be initiated by the user.Alternatively, the installation of an application on the client devicemay be initiated by the service provider with which that application isassociated. That is, because the process of binding a user to the TEE ofthe user's device occurs when installation of a trusted application thatrequires sensitive data of the user is initiated on the device, theinitial step of the process (ST 400) require the determination to bemade that the user wishes to install an application onto his/her device.Those skilled in the art would appreciate that when the installation ofan application that executes completely within the REE is initiated, theprocess of FIG. 4 may end after step 404, or alternatively, wait untilan operation associated with a TEE application is performed. That is,the process of FIG. 4 occurs whenever the user requires, i.e., at anytime when the user downloads a secure application having both an RA partand a TA part.

Those skilled in the art would also appreciate that the user bindingprocess is not limited to being performed when installation of a TEEapplication occurs. For example, the user binding process may also occurupon updating a TEE application on the device, un-installing a TEEapplication on the device, or any other suitable operation associatedwith a TEE application that may be performed on the device. Morespecifically, for example, the user binding process may also beinitiated when a manufacturer installed TEE application requires asecurity patch.

Upon making the determinations that the application being installed (orupdated, de-installed, etc.) is a TEE application, installation of theRA portion of the application commences (ST 404). At this stage, adetermination is made as to whether the TA part of the application ispresent (ST 406). When the TA part of the application being installed bythe ASP is already present in the TEE of the client device, the processends. However, when the REE or RA part of a secure application noticesthat its corresponding TA part is not present, the REE triggers a userbinding session (ST 408) through the user-binding TA (412). Morespecifically, in one or more embodiments, before the trusted applicationis installed, the REE portion of the application triggers theinteraction with the user, via a trusted UI session (ST 408) managed bythe user-binding TA. The trusted UI session appears on the UI (displayscreen) of the client device, which is recognized by the user as asecure session by at least one security identifier presented on thedevice, such as a colored LED light or a specifically sentence/phrase onthe UI screen.

In this scenario, the RA application part requests the user-binding TAto establish a Trusted UI session and the user is prompted for usercredentials by the trusted UI session (ST 410). As described above, theuser credentials may be a username/password, biometric information, anOTP, etc. Upon receiving the user credentials from the user via thetrusted UI session (ST 410), the user-binding TA wraps the usercredentials in an encrypted layer for protection and discards theoriginal user credentials. Next, the user-binding TA generates theauthentication blob by performing a cryptographic signature operation onthe derived user's credentials (ST 412). Specifically, the user-bindingTA then performs one or more cryptographic operations to combine theuser credentials with the device identifier of the device and withconfidential and device-specific information stored in the user-bindingTA. The resulting Authentication blob is then returned to the RA.

In one or more embodiments, at the time the authentication blob isgenerated in ST 412 (i.e., in parallel with ST 412, for example), theTEE identifier is obtained by the user-binding TA. More specifically,the user-binding TA obtains the TEE identifier during generation of theauthentication blob, by making a trusted OS call to obtain the TEEidentifier stored in the hardware of the device. At the end of ST 412,the Authentication blob is returned by the user-binding TA to the RA.

The Authentication blob may then be sent by the RA to the serviceprovider (ST 414). The ASP is then able to extract and check the usercredentials and device identifier from the authentication blob, and isfurther configured to have the user-to-provider mapping in the back-endserver verify the authenticity of the request, based on cryptographicdata that complements those used to build the Authentication blob andwhich are known to the ASP. Said another way, the ASP may check theauthentication credentials (which are known to the ASP), inform theuser-to-provider mapping that the credentials look correct to the ASP,and request the user-to-provider mapping to verify the same. In one ormore embodiments, the RA may manage the input of user credentials, orobtain these credentials from other sources (e.g., from the Rich OS(316)). In that case, the RA may provide the user credentials to theuser-binding TA and simply request the computation of an authenticationblob.

Continuing with FIG. 4, at this stage, the user-to-provider mappingrequests the authorization entity in the back-end server to generate anauthorization token (ST 416). The authorization token, in one or moreembodiments, authorizes the installation of the authentication TA partof the ASP application on the specific device of the user. Theauthorization entity subsequently also verifies the signature of theAuthentication blob (ST 418), so that the authorization entity canguarantee the service provider that the generated authorization token isbound to the device of its user and not to another device. At thisstage, the user is bound to the TEE of his/her device. Lastly, in ST420, the TA part of the service provider application completesinstallation on the user device. Accordingly, once the user is bound tothe TEE included on the device in ST 408-ST 418, the TA part of thedivided ASP application initially requested to be downloaded by the useror the ASP is installed in the TEE of the device.

Although not shown in FIG. 4, the authorization entity in the back-endserver may store a mapping of the user to the TEE identifier of theuser's device to keep track of the owner of a particular device at agiven time. In one or more embodiments, when the device is passed to anew owner, it is assumed that at least the initial user performed afactory reset on the device. Once a factory reset is performed, allapplications installed within the TEE are wiped on the device.Accordingly, the process of FIG. 4 repeats to bind the TEE executing onthe device to the new user/owner of the device. In one or moreembodiments, the TEE identifier may additionally be bound to a givenuser of the device after factory reset i.e., the TEE identifier may becomposed of a device ID and a binding ID generated each time a factoryreset occurs.

The process of FIG. 4 described above results in a one-to-one mappingbetween the owner/user of a device and the TEE installed on the device.Thus, there exists a one-to-one binding between a single user, a singledevice, and a single application executing on the device, without anysharing of the authentication blob or user credential information. Thoseskilled in the art would appreciate that the process of FIG. 4 functionsindependently of the authentication method and of the organization ofthe authentication. For example, the user identity may be managed in theTEE, with a local authentication, or the user credentials may beincluded in the authentication blob and verified by the service providerupon receipt of the authentication blob. In one or more embodiments, asingle operation is performed in which the application is installed, theapplication triggers the interaction with the user via the trusted UIsession, and the content is secured. The second phase of this operation,during which the TA part is installed, is the personalization phase inwhich the user specific credentials are provisioned into the TA.

In one or more embodiments of the invention, after the process of FIG. 4has executed and the TA part of a secure ASP application has beeninstalled on the device, the TA part of the secure ASP application maybe used to verify the identity of the user each time the user logs intothe trusted application. For example, suppose that a secure bankingapplication has been successfully installed on the client device usingthe process of FIG. 4. When the user uses the secure banking applicationto perform one or more banking operations, the RA application part mayuse the TA part of the banking application to obtain user credentials tolog into the banking application. For example, this may be a usernameand password which logs the user into the secure banking application onthe user's electronic device.

Those of ordinary skill in the art will appreciate that the user-bindingmethod described in FIG. 4 is not limited to ensure a binding,authorizing installation of TA. Embodiments disclosed herein may be usedfor authorizing any application of the REE. Thus, although the inventionis critical for TAs, any other application including REE applicationsmay leverage the method of FIG. 4 to bind a user to a device.

Some operating systems allow multiple users having an account linked tothe same device. While the TEE ID is still unique per client device, theuser device binding process may permit identification and/orauthentication from the back-end perspective as to which user isrequesting the binding service because user credentials themselves areinvolved. Then, the back-end server and the TEE may apply a policy thatmay permit isolated TAs per user, in one or more embodiments.

One or more embodiments disclosed herein may be implemented on virtuallyany type of computing system regardless of the platform being used.Specifically, the authorization entity and each device described in FIG.1 may be implemented on any type of computing system. For example, thecomputing system may be one or more mobile devices (e.g., laptopcomputer, smart phone, personal digital assistant, tablet computer, orother mobile device), desktop computers, servers, blades in a serverchassis, or any other type of computing device or devices that includesat least the minimum processing power, memory, and input and outputdevice(s) to perform one or more embodiments.

For example, as shown in FIG. 5, the computing system (500) may includeone or more computer processor(s) (502), associated memory (504) (e.g.,random access memory (RAM), cache memory, flash memory, etc.), one ormore storage device(s) (506) (e.g., a hard disk, an optical drive suchas a compact disk (CD) drive or digital versatile disk (DVD) drive, aflash memory stick, etc.), and numerous other elements andfunctionalities. The computer processor(s) (502) may be an integratedcircuit for processing instructions. For example, the computerprocessor(s) may be one or more cores, or micro-cores of a processor.The computing system (500) may also include one or more input device(s)(510), such as a touchscreen, keyboard, mouse, microphone, touchpad,electronic pen, or any other type of input device. Further, thecomputing system (500) may include one or more output device(s) (508),such as a screen (e.g., a liquid crystal display (LCD), a plasmadisplay, touchscreen, cathode ray tube (CRT) monitor, projector, orother display device), a printer, external storage, or any other outputdevice. One or more of the output device(s) may be the same or differentfrom the input device. The computing system (500) may be connected to anetwork (512) (e.g., a local area network (LAN), a wide area network(WAN) such as the Internet, mobile network, or any other type ofnetwork) via a network interface connection (not shown). The input andoutput device(s) may be locally or remotely (e.g., via the network(512)) connected to the computer processor(s) (502), memory (504), andstorage device(s) (506). Many different types of computing systemsexist, and the aforementioned input and output device(s) may take otherforms.

Software instructions in the form of computer readable program code toperform embodiments may be stored, in whole or in part, temporarily orpermanently, on a non-transitory computer readable medium such as a CD,DVD, storage device, a diskette, a tape, flash memory, physical memory,or any other computer readable storage medium. Specifically, thesoftware instructions may correspond to computer readable program codethat, when executed by a processor(s), is configured to performembodiments disclosed herein.

One or more elements of the aforementioned computing system (500) may belocated at a remote location and connected to the other elements over anetwork (512). Further, embodiments may be implemented on a distributedsystem having a plurality of nodes, where each portion may be located ona different node within the distributed system. In one embodiment, thenode corresponds to a distinct computing device. Alternatively, the nodemay correspond to a computer processor with associated physical memory.The node may alternatively correspond to a computer processor ormicro-core of a computer processor with shared memory and/or resources.

While the invention has been described with respect to a limited numberof embodiments, those skilled in the art, having benefit of thisdisclosure, will appreciate that other embodiments can be devised whichdo not depart from the scope of embodiments as disclosed herein.Accordingly, the scope of embodiments disclosed herein should be limitedonly by the attached claims.

What is claimed is:
 1. A method, comprising: determining that a user hasinitiated an installation of a secure application on a device owned bythe user, the secure application comprising a rich application (RA) partand a trusted application (TA) part, wherein the rich application partoperates using resources shared with other applications, and wherein thetrusted application part operates in an isolated execution environmentwith functionality to provide security services to the rich applicationpart; installing the RA part of the secure application on the device;triggering, by the RA executing on the device, a trusted user interface(UI) session, upon realization that the TA part of the secureapplication is not installed in the isolated execution environment onthe device, wherein the trusted UI session is initiated to enforceuser-specific and device-specific security criteria; receiving, via thetrusted UI session, user credentials for authenticating the user;combining the user credentials with a unique identifier of the isolatedexecution environment in which the TA part of the secure applicationoperates to obtain combined user credentials; cryptographically signingthe combined user credentials with a cryptographic signature to obtainan authentication object, wherein the authentication object facilitatesthe enforcement of the user-specific and the device-specific securitycriteria; passing the authentication object to a service providerassociated with the secure application for extraction of the usercredentials; and generating, by an authorization entity, anauthorization token permitting the installation of the TA part of thesecure application, upon verification of the cryptographically signedauthentication object.
 2. The method of claim 1, wherein triggering atrusted UI session further comprises: requesting, by the RA part of thesecure application, a user-binding TA to initiate the trusted UIsession, wherein the user-binding TA is a system application that is anintegrated part of the isolated execution environment on the device. 3.The method of claim 1, further comprising: using the authorization tokento complete installation of the secure application by installing the TApart of the secure application within the isolated execution environmenton the device.
 4. The method of claim 1, further comprising: storing amapping of the user and the unique identifier in a user-to-providermapping on a back-end server, wherein the user-to-provider mapping isconfigured to perform the verification of the cryptographic signatureand the request for generation of the authorization token.
 5. The methodof claim 1, wherein the user credentials comprise at least one selectedfrom a group consisting of biometric information, a one-time password(OTP), a username, and a password.
 6. The method of claim 1, wherein thedevice is an Internet-enabled electronic device.
 7. The method of claim1, wherein the trusted UI session is configured to: obtain a derivedversion of the user credentials; and delete an original version of theuser credentials provided by the user via the trusted UI session,wherein the derived version of the user credentials are concatenatedwith the unique identifier and cryptographically signed to obtain theauthentication object.
 8. The method of claim 7, wherein the derivedversion of the user credentials is obtained by one of encrypting theoriginal version of the user credentials or hashing the usercredentials.
 9. The method of claim 1, wherein when the trusted UTsession is executing on the device, the trusted UI session presents asecurity indicator to the user.
 10. The method of claim 9, wherein thesecurity indicator is one selected from a group consisting of adedicated light on the device, a phrase or sentence known only to theuser displayed during the trusted UI session, or a picture provided bythe user displayed during the trusted UI session.
 11. The method ofclaim 1, further comprising: verifying the cryptographic signature bythe back-end server, resulting in a one-to-one binding between a singleuser, a single device, and a single application executing on the device.12. A system, comprising: a device on which the installation of a secureapplication is initiated by a user, wherein the device is owned by theuser; a service provider configured to provide the secure application tobe installed on the device, the secure application comprising a richapplication (RA) part and a trusted application (TA) part, wherein therich application part operates using resources shared with otherapplications, and wherein the trusted application part operates in anisolated execution environment with functionality to provide securityservices to the rich application part; and a back-end server comprisingan authorization entity configured to generate an authorization tokenpermitting installation of the TA part of the secure application, uponverification of an authentication object, wherein, when installation ofthe secure application is initiated by the user, the RA is configured torequest a user-binding TA in the isolated execution environment toinitiate a trusted user interface (UI) session by which user credentialsare obtained from the user, wherein the authentication object isgenerated by: combining the user credentials obtained via the trusted UIsession with a unique identifier of the isolated execution environmenton the device to obtain combined user credentials, and cryptographicallysigning the combined user credentials using a cryptographic signature toobtain the authentication object, wherein the service provider isfurther configured to receive the authentication object from the RA partof the secure application to check the user credentials, and wherein theback-end server is configured to verify the cryptographically signedauthentication object, and, using the verified authentication object,generate the authorization token authorizing the installation of the TApart of the secure application.
 13. The system of claim 12, wherein theback-end server is further configured to store a mapping of the user andthe unique identifier of the isolated execution environment on thedevice owned by the user in a user-to-provider mapping.
 14. The systemof claim 12, wherein the trusted UI session is configured to: obtain aderived version of the user credentials; and delete an original versionof the user credentials provided by the user via the trusted UI session,wherein the derived version of the user credentials are combined withthe unique identifier and cryptographically signed to obtain theauthentication object.
 15. The system of claim 14, wherein the derivedversion of the user credentials is obtained by one of encrypting theoriginal version of the user credentials or hashing the usercredentials.
 16. The system of claim 12, wherein when the trusted UIsession is executing on the device, the trusted UI session presents asecurity indicator to the user.
 17. The system of claim 16, wherein thesecurity indicator is one selected from a group consisting of adedicated light on the device, a phrase or sentence known only to theuser displayed during the trusted UI session, or a picture provided bythe user displayed during the trusted UI session.
 18. The system ofclaim 12, wherein the user-binding TA is a system application that is anintegrated part of the isolated execution environment on the device. 19.A non-transitory computer readable medium comprising instructions that,when executed by a computer processor, perform a method comprising:determining that a user has initiated an installation of a secureapplication on a device owned by the user, the secure applicationcomprising a rich application (RA) part and a trusted application (TA)part, wherein the rich application part operates using resources sharedwith other applications, and wherein the trusted application partoperates in an isolated execution environment with functionality toprovide security services to the rich application part; installing theRA part of the secure application on the device; triggering, by the RAexecuting on the device, a trusted user interface (UI) session, uponrealization that the TA part of the secure application is not installedin the isolated execution environment on the device, wherein the trustedUI session is initiated to enforce user-specific and device-specificsecurity criteria; receiving, via the trusted UI session, usercredentials for authenticating the user; combining the user credentialswith a unique identifier of the isolated execution environment in whichthe TA part of the secure application operates to obtain combined usercredentials; cryptographically signing the combined user credentialswith a cryptographic signature to obtain an authentication object,wherein the authentication object facilitates the enforcement of theuser-specific and the device-specific security criteria; passing theauthentication object to a service provider associated with the secureapplication for extraction of the user credentials; and generating, byan authorization entity, an authorization token permitting theinstallation of the TA part of the secure application, upon verificationof the cryptographically signed authentication object.
 20. Thenon-transitory computer readable medium of claim 19, wherein the trustedUI session is configured to: obtain a derived version of the usercredentials; and delete an original version of the user credentialsprovided by the user via the trusted UI session, wherein the derivedversion of the user credentials are concatenated with the uniqueidentifier and cryptographically signed to obtain the authenticationobject.
 21. The non-transitory computer readable medium of claim 20,wherein when the trusted UI session is executing on the device, thetrusted UI session presents a security indicator to the user.
 22. Thenon-transitory computer readable medium of claim 19, wherein triggeringa trusted UI session further comprises: requesting, by the RA part ofthe secure application, a user-binding TA to initiate the trusted UIsession, wherein the user-binding TA is a system application that is anintegrated part of the isolated execution environment on the device.